Best Practices for Managing Private Key

Private keys are a form of account credentials, like a username and password. If bad actors obtain a private key, they can use it to harm your business and other parties in the CakeAuth ecosystem.

CakeAuth users own the responsibility of keeping private keys safe. Here are some best practices for how to do that, including by using CakeAuth-offered security features.

Protecting against key leakage

• Use secure key management systems (KMS) to store private keys. When you create a private key from the CakeAuth Dashboard, immediately copy the key to a KMS, which is designed to handle sensitive information with encryption and access controls. Make sure you don’t leave a copy of the key in the local file.
• Grant access only to those who need it. Define a clear policy on which users have permission to create, update or read keys. Limit the access only to those who need it. Audit the access periodically to avoid excess privilege on keys.
• Don’t share private keys using insecure means. Don’t share keys in emails, chat messages, or customer support messages. CakeAuth never asks you for your private key.
• Don’t store keys in source code repositories (such as GitHub). Bad actors might scan public source repositories for leaked keys. Even if the source repository is private, it could be shared with team members on their development environments.
• Don’t embed private keys in applications. Bad actors can exploit private keys by matching a certain string pattern in the application. Avoid embedding keys in applications such as client tools, SDKs, and mobile apps.
• Exercise your ability to roll your API Keys. Defining and exercising a process for rolling keys helps you understand where your keys are being used and prepares your organization in the event your API key is leaked. By having key rolling processes in place you’ll be prepared to respond to a key leak event with a minimum of impact on your business.
• Regular training and updating documentation. Maintain up-to-date documentation about how to handle private keys within your organization and host regular training sessions to make sure best practices are followed.

Adopt security features to protect your integration

• Have dedicated key for each of your services. Create separate API keys for different services or environments (development, staging, production) to limit the blast radius if any key is compromised and make it easier to track usage.
• Roll your private keys. Regularly rotate your API keys as a security best practice to minimize the impact of potential key exposure. This helps ensure that even if a key is compromised, it will only be valid for a limited time.

Handle leaked private keys

If you identified a private leak, such as if a key is accidentally published to GitHub, immediately roll the key from CakeAuth Dashboard and replace your integration with the new key. If you detected abnormal behaviors without confirming that the private key is leaked, we recommended that you roll the private keys proactively while investigating the root cause in parallel.

If CakeAuth detects that a private API key has been exposed, we will immediately notify you and request that you roll the key. It’s crucial for businesses to act promptly to reduce potential damages and financial losses caused by unauthorized use of the leaked key. Depending on the imposed risk and activity on the account, we might decide to roll the key on your behalf. In this case you will receive notifications about any action taken.

CakeAuth doesn’t guarantee that we will detect all leaked keys. You’re responsible for following the best practices to prevent potential key leaks and ensure your integration with CakeAuth is secure.